Why Make Such A Statement?

“Our employees never click on the links or attachments in an email.” What would compel a business owner to make such an incorrect statement? Let’s start with the assumption that I know, with a great degree of certainty, that such a statement is wrong nearly every time it is made. I will qualify that assumption shortly, but for now, if I am correct, why would a business owner make such a statement?

There are only a few reasons and most likely the answer is one or more of the following:

  1. Ignorance. I don’t mean that in an insulting way; I just mean that sometimes business owners and even managers are completely disconnected from the truth about their employees. They are often too busy to really know what their employees’ level of competency on such topics is, and they often are not training or testing to get better insight. Instead, they give the benefit of the doubt and assume.
  2. Protection of negotiating power. In more descriptive terms, a prospective customer will often minimize the problem, because if the problem is seen in its full magnitude, then the solution for the issue may seem very expensive. Firewalls, endpoint protection, wireless protection, email security, training, testing... it all sounds very expensive! So, sometimes a customer will minimize the issue in order to avoid being sold a solution altogether or to avoid what is perceived as an expensive solution.

Neither of these is a good reason to minimize a problem that I know exists. How do I know? I see it every day! Phishing attempts are relentless and more and more sophisticated. There are more each day and they are more difficult to detect each day. Why? Because systems are not sophisticated enough yet to eliminate phishing attempts. Some are certainly squashed before they reach your users’ inboxes, but those are typically the really poorly written phishing emails designed to penetrate the weakest of security solutions and the least informed individuals. The ones that get through decent systems appear to be much more legitimate, and they often target specific individuals based on their roles and responsibilities (e.g. a phishing attempt that appears to be an invoice attached by a vendor, sent to the accounts payable person in the company). They are also sent with very specific timing to take advantage of events that are taking place in order to provide a deeper disguise.

Still not convinced? Take my challenge! Contact me at marketing@itgroupva.com and ask for a trial Phish training campaign. I will coordinate a one-time test for your employees at absolutely no charge. If you are willing to allow the test to occur without mentioning it to anyone else in your organization, you will be shocked when we show you the reports indicating which users opened a phishing email, which ones clicked on a link or an attachment, and which users actually submitted information upon request by the phishing email. Here is your chance to see just how educated your users are at no cost to you!


Paul Meadows,